
Additional security level available: Secured OAuth2 flow with client private key

13-07-2022 12:58 (Updated on 13-07-2022)

We follow current industry standards and best practices, and authentication/authorization is no exception. As part of the Identity and Access Management Strategy for system-to-system integrations, our APIs are based on OAuth 2.0 with the Client Credentials authorization grant. Every API consumer system is provisioned in our API Gateway as a Client Application (App).

Each App is provided with an API key (client_id) and a Secret key (client_secret) to use as credentials. With these, the App authenticates and receives an access token (JWT) in the response payload. Subsequent requests are authorized with that access token.


A detailed explanation is available in our knowledge base.

 

Additional security level: Secured OAuth2 flow with client private key

Demands for security measures are always increasing. On top of the existing authentication, we have added an extra security level: Secured OAuth2 flow with client private key.

With this addition, identification with API key (client_id) and Secret key (client_secret) is replaced by API key (client_id) plus a client_assertion signed with the client's private key, which is verified against a stored public key. The access token (JWT) is then delivered and can be used to retrieve data.


A detailed technical explanation of how to use the increased security level is available in our knowledge base.

If you want to start using the increased security level, please contact your account manager or Service Delivery Manager.
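
The private-key flow described above, as an added example that is not part of the original post or the provider's knowledge base: the client signs a short-lived assertion and the gateway checks it against the stored public key. It assumes the RFC 7523 JWT client-assertion format with RS256; the endpoint URL, client_id, claim set and key pair are constructed placeholders.

```javascript
// Added example, not the provider's code. Assumed (not on the page): RS256, claim set, TOKEN_URL, CLIENT_ID.
const crypto = require('node:crypto');

const TOKEN_URL = 'https://api.example.test/oauth2/token'; // hypothetical endpoint
const CLIENT_ID = 'constructed-client-id';                 // constructed sample value
const b64url = (s) => Buffer.from(s).toString('base64url');
const nowSec = () => Math.floor(Date.now() / 1000);

// Client side: sign a short-lived, single-use assertion with the private key.
function buildClientAssertion(privateKey, clientId, audience, now = nowSec()) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: clientId, sub: clientId, aud: audience, jti: crypto.randomUUID(), iat: now, exp: now + 60 };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Client side: form body for the token endpoint; no client_secret is sent.
function buildTokenRequest(assertion, clientId) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Gateway side: check the assertion against the public key stored for this client_id.
function verifyClientAssertion(jwt, publicKey, clientId, audience, seenJti, now = nowSec()) {
  const [h, c, s, extra] = String(jwt).split('.');
  if (!h || !c || !s || extra !== undefined) return 'malformed';
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString()) || {};
    claims = JSON.parse(Buffer.from(c, 'base64url').toString()) || {};
  } catch { return 'malformed'; }
  if (header.alg !== 'RS256') return 'bad_alg'; // pin the algorithm, do not trust the header
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return 'bad_signature';
  if (claims.iss !== clientId || claims.sub !== clientId) return 'bad_issuer';
  if (claims.aud !== audience) return 'bad_audience';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  if (seenJti.has(claims.jti)) return 'replayed';
  seenJti.add(claims.jti);
  return 'ok';
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // constructed keys
console.log(verifyClientAssertion(buildClientAssertion(privateKey, CLIENT_ID, TOKEN_URL), publicKey, CLIENT_ID, TOKEN_URL, new Set()));
```

The private key never leaves the client; only the signed assertion crosses the wire, and the short `exp` plus the `jti` check limit what a captured assertion can be reused for.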

 

 
